The European Union (EU) has proposed updated regulations regarding the private lives of citizens. These regulations involve two separate but related documents, the GDPR (General Data Protection Regulation), and ePrivacy (longer name “Regulations on Privacy and Electronic Communications”), a new proposal superseding a similar regulation written in 2009. But how does this regulation affect you?
Lawmakers in the EU determined that revisions were needed for protecting information in instant messaging, voice over IP, web-based e-mail services, and text messages. Both regulations revolve around privacy, data, and the integration of all laws pertaining to these. The regulations overlap in many areas and the comprehensive ePrivacy proposal, when adopted, will largely replace the GDPR in the area of applicability.
GDPR
The GDPR is the current regulation in European Union law that sets protections for the data and privacy of all individuals in the EU and the European Economic Area (EEA). The primary focus of the GDPR is to provide individuals control over their own personal information. It also:
- contains requirements and provisions that pertain to processing individuals’ personal data inside the EEA
- pertains to an enterprise—a business or other organization—that was established within the EEA or one that is processing personal data of people inside the EEA, regardless of people’s citizenship and the enterprise’s location
- simplifies regulations regarding international business by unifying the directive within the EU
The GDPR attempts to align data privacy laws in all EU countries. A major improvement over previous versions of the law is that it protects the processing of any EU citizen’s data, regardless of whether companies or organizations are processing communications inside the EU or outside of it and regardless of where that company or organization originates from. The GDPR also expands the concept of traffic data so that it includes all metadata that any company or other entity derives from communication. The law protects any EU citizen’s data from any company in any part of the world, and the GDPR mandates that websites and businesses that obtain information from a user maintain the data and make it easy for users to access it.
The GDPR was written in 2016 and went into effect in May 2018.
ePrivacy
The new ePrivacy regulation is a proposal intended to strengthen protections for the citizens of the EU and, at the same time, create opportunities for business. The main issues the proposal addresses are use and practices that relate to cookies and marketing opt-in requirements (see details below). The proposal also seeks to align the privacy rules that now exist across the member states of the EU. The ePrivacy regulation would override some aspects of the GDPR and would add the above-mentioned requirements about electronic communications that are considered personal information and about consent for using opt-outs and cookies.
The ePrivacy document states that its main purpose is to “increase trust in and the security of the digital services”. Further, it “ensures the protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications, and the protection of personal data in the electronic communications sector. It also guarantees the free movement of electronic communications data, equipment, and services in the Union [EU]. It implements … the fundamental right to the respect for private life, with regard to communications.”
Even though many organizations already comply or partially comply with the principles the regulation sets forth, the regulation seeks to create a level playing field for businesses and others who use private communications. It does this by “avoiding divergent interpretation in the Member States” and “ensur[ing] an equal level of protection for Union users and lower[ing] compliance costs for businesses operating across borders.”
Details of ePrivacy
The ePrivacy regulation protects a user’s privacy at each stage of each online interaction. The regulation requires permission to access any form of communication. This includes text messages and emails. Businesses must obtain permission from each account holder before sending texts or emails. Users can change the software and the browsers that track cookies to reflect their needs. This eliminates the parades of popups requesting consent to use cookies on individual websites; previously, regulations made each website request the capability to use cookies from every user. Another aim is to broaden the scope of previous regulations so online communication providers fall under the same rules as conventional telecommunications providers. Companies such as Skype, Gmail, WhatsApp, and Facebook’s Messenger are required to provide the same data safety protection for customers as brick-and-mortar providers. Those who offer electronic communications services must secure all communications through best-available methods. This compels websites to remain in sync technologically with the most up-to-date safety standards. ePrivacy also forces providers to treat metadata the same as the content of communications, and no person or organization can intercept any communication except if an EU member state authorizes it under the law, such as in a criminal investigation.
The proposal is slated to go into effect sometime in 2019.
Summation
These regulations define situations that a user of electronic communication devices might enter into. The laws work together, ensuring that users maintain control over their information and that the onus is on websites to maintain all user information safely. This includes any metadata that websites derive from that information. The regulations create ownership over an IP address and other Internet identifiers, which helps strengthen the rights of Internet users within the EU. The laws also make these definitions and requirements uniform across the EU so businesses know what they need to do to comply and to avoid redundancy.
With ePrivacy adding another level of responsibility to data processing, now is a perfect time to see how Kentico’s GDPR and Data Protection app can make your digital life less painful.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to data protection compliance.